Ann, a member of the finance department at a large corporation, has submitted a suspicious email she received to the information security team.
The team was not expecting an email from Ann, and it contains a PDF file inside a ZIP compressed archive.
The information security team is not sure which files were opened.
A security team member uses an air-gapped PC to open the ZIP and PDF, and it appears to be a social engineering attempt to deliver an exploit.
Which of the following would provide greater insight on the potential impact of this attempted attack?
Click on the arrows to vote for the correct answer
A. B. C. D. E.C.
In this scenario, the information security team received a suspicious email from a member of the finance department containing a PDF file inside a ZIP compressed archive. The team is not sure which files were opened and a security team member used an air-gapped PC to open the ZIP and PDF, revealing it as a social engineering attempt to deliver an exploit. To gain greater insight on the potential impact of this attempted attack, the following options can be considered:
A. Run an antivirus scan on the finance P: Running an antivirus scan on the finance P can identify any malware or viruses that may have been installed on the system as a result of the attack. However, this approach does not provide insight into the potential impact of the attack or the extent of the compromise.
B. Use a protocol analyzer on the air-gapped P: Using a protocol analyzer on the air-gapped PC can reveal the network traffic generated by the attack, providing insights on how the attacker accessed the system, what they did once they gained access, and what data they exfiltrated. However, this approach may not be effective in detecting all types of attacks.
C. Perform reverse engineering on the document: Reverse engineering the document can provide valuable insights on how the exploit was delivered, how it works, and what vulnerabilities it targets. This information can be used to develop mitigation strategies and patch vulnerable systems. However, this approach requires specialized knowledge and can be time-consuming.
D. Analyze network logs for unusual traffic: Analyzing network logs for unusual traffic can help identify suspicious activity, such as network connections to suspicious IP addresses or unusual data transfers. This approach can provide insights into the scope and extent of the attack, the data that was accessed or exfiltrated, and the techniques used by the attacker. However, this approach may require extensive resources and may not be effective in detecting all types of attacks.
E. Run a baseline analyzer against the user's computer: Running a baseline analyzer against the user's computer can help identify any changes or anomalies in the system's configuration or behavior, providing insights into the extent of the compromise and the techniques used by the attacker. This approach can be particularly useful in detecting attacks that evade traditional detection methods. However, this approach requires specialized knowledge and can be time-consuming.
In summary, all of the options listed above can provide valuable insights into the potential impact of the attempted attack. The most appropriate option depends on the specific circumstances of the attack, the resources available, and the organization's overall security posture. Therefore, a combination of these options may be required to gain a comprehensive understanding of the attack and develop effective mitigation strategies.